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Guideline on Supervision of Stored Value Facility Licensees 


1. Introduction 


1.1. The Guideline on Supervision of Stored Value Facility Licensees (the 
Guideline) is issued by the Hong Kong Monetary Authority (HKMA) 
pursuant to section 54(1A)(b) of the Payment Systems and Stored Value 
Facilities Ordinance (PSSVFO). It aims to set out the high level 
supervisory principles that the HKMA adopts in assessing whether certain 
requirements imposed on stored value facility (SVF) licensees are 


complied with. 


1.2. In order to fulfil the relevant statutory obligations or other relevant 
provisions of the PSSVFO, SVF licensees should strive to adhere to those 
supervisory principles as set out in the Guideline. They should not only 
comply with the letter but, more importantly, the spirit of the various 
provisions of the PSSVFO as illustrated or explained by the Guideline. 


1.3. To help SVF licensees in better understanding the standards by which the 
principles set out in the Guideline should be applied, the HKMA will 
issue Practice Notes and Frequently Asked Questions as and when 
necessary to provide SVF licensees with additional guidance in respect of 
specific sections or paragraphs of the Guideline. 
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2:2: 


2.3. 


2.3.1. 


Principal Business and Financial Resources 


Introduction 


Paragraph 1 of Part 2 of Schedule 3 of the PSSVFO stipulates that the 
principal business of a licensee must be the issue of SVF or the facilitation 
of the issue of SVF under a licence. Paragraph 2 of Part 2 stipulates the 
minimum licensing criteria in relation to financial resources for operating 
an SVF scheme. This chapter sets out the high level principle 


requirements a licensee must comply in relation to these two aspects. 
Principal business requirement 


A licensee can generally engage in activities that add values to its 
principal business or provide better services to SVF users. To ensure 
that such activities will not significantly disrupt or distract attention to its 
principal business, a licensee should conduct appropriate risk assessment 
to ensure that it can effectively identify, monitor and manage all relevant 
risks and that the safety and efficiency of the SVF as well as the interest 
of its SVF users are not compromised. Documentation of the risk 
assessment should be properly maintained for periodic review by 
independent parties such as Internal Auditor, External Auditors, or the 
HKMA. Where a licensee expects that a new activity may draw public 


attention or may have potential reputational implications, it should notify 
the HKMA about its plan. 


For the avoidance of doubt, a licensee is not allowed to carry on financial 
intermediation. A licensee is also not allowed to conduct regulated 
activities under the Securities and Futures Ordinance, the Mandatory 
Provident Fund Schemes Ordinance, or the Insurance Companies 
Ordinance. Other types of non-payment finance-related activities (such 


as lending and financial intermediary activities) are generally not allowed. 


Financial resources requirements 


A licensee must satisfy the Monetary Authority (MA ) that it has: 
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2.3.3. 


2.3.4. 


2.3.5. 


(i) paid-up share capital of not less than HK$25,000,000 or an 


equivalent amount in any other currency approved by the MA; or 


(ii) other financial resources are equivalent to or exceed 
HK$25,000,000. 


The criteria on financial resources as stated in the PSSVFO are only 
meant to be a minimum requirement. As a general principle, a licensee 
should be able to demonstrate that its financial resources are sufficient for 
implementing its business model in a safe, efficient and sustainable 


manner, without compromising the interests of SVF users. 


In order that the interests of SVF users can be protected at all times, a 
licensee should demonstrate that should it decide to exit the SVF business 
it will be able to maintain sufficient financial resources to facilitate an 


orderly exit, including a smooth refunding process. 


The HKMA may impose a higher financial resources requirement if, 
taking into account the scale and complexity of a licensee’s business, it 
considers such a requirement important in ensuring that the licensee 
concerned has the ability to fulfil its regulatory obligations under the 
PSSVFO. 


The proportion of the financial resources of a licensee equivalent to the 
financial resources requirement (i.e. the minimum financial resources 
requirement of HK$25,000,000 but if a higher financial resources 
requirement is imposed by the HKMA, the higher requirement) should 
only be used for the purposes of its business activities and should not be 
used for any dealing with its related companies or parties, including 


shareholders, directors and senior management staff. 
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3.1.1. 


3.2. 


32:13 


3.2.2. 


3.2.3. 


Corporate Governance 


Introduction 


Section 80(1) of the PSSVFO requires a licensee to ensure that the 
operation of any SVF issued is conducted in a safe and efficient manner. 
Section 8Q of the PSSVFO requires a licensee to ensure that all the 
minimum criteria set out in Schedule 3 of the PSSVFO are fulfilled. 
Paragraph 5 of Part 2 of Schedule 3 stipulates that a licensee must have in 
place appropriate risk management policies and procedures for managing 
the risks arising from the operation of its SVF business that are 


commensurate with the scale and complexity of the scheme. 


Corporate governance 


A licensee is required to have in place sound governance arrangement for 
the purpose of effective decision-making and proper management and 
control of the risks of its business and operations. Such arrangement 
should include, among others, clear organizational structure with 
well-defined, transparent and consistent lines of responsibility. There 
should also be clear documentations on decision making procedures, 


reporting lines, internal reporting and communication process. 


A licensee’s board should be ultimately responsible for the sound and 
prudent management of a licensee’s SVF business operations. As such, 
the responsibilities, organization, functioning, and composition of the 


licensee’s board of directors must be clearly defined and documented. 


The board should have an adequate number and appropriate composition 
of members to ensure sufficient checks and balances and collective 
expertise for effective, objective decision-making. The size and 
composition of the board will vary from institution to institution 
depending on the size and complexity of the licensee and the nature and 
scope of its activities. As a general benchmark for demonstrating 
sufficiency of checks and balances, normally one-third of their board 


members should be independent non-executive directors (INED). 
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3.2.5. 


3.2.6. 


3.3. 


3.3.1. 


The board should clearly define appropriate internal governance practices 
and procedures for the conduct of its own work and have in place the 
means to ensure that such practices are followed and periodically 


reviewed with a view to ongoing improvement. 


Whilst the board is ultimately responsible for the overall soundness of a 
licensee, the appointment of competent management is key to achieving 
the objective of a soundly and efficiently run licensee. The board works 
with a senior management team (senior management) to achieve this and 


senior management remains accountable to the board. 


Senior management are responsible and accountable for running the 
business of a licensee effectively and prudently in accordance with the 
business strategies, policies, risk appetite, as well as delegation of 


authorities set down by the board. 


Fitness and propriety of officers and controllers 


Section 8ZZV of the PSSVFO stipulates that a person must not become a 
chief executive or director of a licensee except with the MA’s consent. 
Sections 8ZZF and 8ZZG of the PSSVFO stipulate that the MA’s consent 
must be obtained for a person to become controller of a licensee. 
Paragraph 3 and 4 of Part 2, Schedule 3 of the PSSVFO stipulate the 
requirements concerning the fitness and propriety of the chief executive, 
directors, controllers and managers, as well as relevant knowledge and 
experience of officers responsible for implementing the SVF scheme or 
the day-to-day management of the scheme. In considering the fitness 
and propriety of the chief executive, directors, controllers and managers of 
a licensee, the HKMA will take into account factors including, among 
others, the integrity, willingness to uphold professional ethics and industry 
good practices, and competence of the person concerned. Paragraphs 
3.3.2 to 3.3.4 below set out the HKMA’s general expectations in relation 
to the fitness and propriety of chief executives, directors, controllers and 
managers of a licensee. It should be noted that the onus is on the 
applicant to make out a case that he is fit and proper for the position 


concerned. 
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3.3.2.1. 


3:33; 


3.3.3.1. 


3.3.3.2. 


3.3.4. 


3.3.4.1. 


3.3.4.2. 


Directors and chief executives 


Given the leadership role of directors and chief executives, fitness and 
propriety will be assessed taking into consideration of their integrity and 
competence, which will generally be assessed in terms of relevant 
knowledge, experience, judgment as well as leadership. Their 
commitment and ability to devote sufficient time and attention to the SVF 
business will also be assessed. The standards required of persons in these 
respects will vary considerably, depending on the scale and complexity of a 


licensee’s operations. 


Controllers 


In assessing the fitness and propriety of controllers, a key consideration is 
the influence that a controller could potentially have on the interests of the 
users and potential users of the scheme concerned. This has to be assessed 
in the context of the circumstances of individual cases. The general 
presumption is that the greater the influence on the licensee, the higher the 
standard will be for the controller to fulfil the criterion. Willingness and 
ability to work collaboratively with other controllers and the management 


team will also be a key factor of consideration. 


Pursuant to section 3(1) of Schedule 3 to the PSSVFO, a licensee should 
have in place appropriate and adequate systems of control to ensure that the 
HKMA is kept informed of the identity of each of its controller. 


Managers 


Similar principles as set out for directors and chief executives will be 
applied for assessing the fitness and propriety of managers, but assessment 
will be made in the context of the specific businesses or control areas of the 
managers. Pursuant to section 3(3) of Schedule 3 to the PSSVFO, a 
licensee should have in place appropriate and adequate systems of control 
to ensure that each of its managers is a fit and proper person to hold the 


position concerned. 


A licensee should have in place appropriate and adequate systems of control 
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3.4. 


3.4.1. 


3.4.2. 


3.4.3. 


to ensure that the HKMA is notified of, among other things: (a) the date of 
appointment of a manager; (b) particulars of the affairs or business of the 
licensee in relation to which the person has been appointed as a manager; 
and (c) any subsequent changes. The notification must be made within 14 
days after the date on which a person became a manager of the licensee or 
ceased to be a manager of the licensee or any changes associated with such 


appointments. 
Outsourcing 


In the context of good governance, while a licensee may outsource its 
operations to service providers (including independent third parties, 
affiliates or companies within the licensee’s group), the licensee, 
including its board members, chief executive, and relevant managers and 
officers, remains solely responsible for meeting its regulatory obligations 
under the PSSVFO and other relevant regulatory requirements, including 
guidelines, prescribed by the HKMA from time to time. 


A licensee should be ultimately responsible for the quality and security, 
including the reliability, robustness, stability and availability, of the 
outsourced activity as well as the integrity and protection of the 
information held by the service providers to ensure the operation of the 
SVF is conducted in a safe and efficient manner. A licensee should 
retain ultimate control of the outsourced activities and obligations to its 


users. 


When outsourcing any of its operations or functions, a licensee should 
(a) properly plan for the outsourcing arrangements by conducting a 
comprehensive risk assessment to identify and evaluate all risks involved 
and structuring the outsourcing arrangements to ensure that all material 
risks identified (including business interruption risk) have been adequately 
managed before launch and that the outsourcing arrangements will not 
impair the effectiveness of its internal controls or compromise the interest 
of the SVF users; (b) properly implement the outsourcing arrangements by 
performing appropriate due diligence on the service providers, conducting 
appropriate testing to ensure that the services to be rendered fully meet the 


agreed performance standards, executing appropriate outsourcing 
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3.4.4. 


3.4.5. 


3.5. 


3.5.1. 


agreements with the service providers to set out clearly the outsourcing 
arrangements and the related rights and obligations, and carrying out 
proper transfer of the related operations or functions to ensure smooth 
transition; and (c) properly manage the outsourcing arrangements on an 
on-going basis by performing appropriate regular quality review of the 
outsourced operations or functions to ensure that the services being 
rendered continue to meet the agreed performance standards in full and all 
deficiencies identified are duly rectified, conducting appropriate regular 
risk assessment to ensure that all material risks are duly identified, 
evaluated and adequately managed on an on-going basis, and reviewing 
the outsourcing agreements at appropriate intervals to assess whether the 
agreements should be renegotiated and renewed to bring them in line with 
current market standards and to cope with changes in the licensee’s 


business strategies. 


A licensee should ensure that its outsourcing arrangements comply with 
the Personal Data (Privacy) Ordinance (“PDPO”) and any relevant codes 
of practice, guidelines and best practices issued by the Office of the 


Privacy Commissioner for Personal Data (““PCPD”) from time to time. 


Access to data by the relevant authorities’ examiners and the licensee’s 
internal and external auditors should not be impeded by outsourcing. A 
licensee should ensure that adequate and effective arrangements are in 
place to facilitate the on-site examinations or off-site reviews, both 
announced and unannounced by authorized third parties (e.g. licensee’s 


internal auditors, external auditors/assessors and the HKMA). 


Location of senior management 


Section 8ZZU(2) of the PSSVFO requires the chief executive and the 
alternate chief executive to be individuals who are ordinarily residents in 
Hong Kong. Licensee should ensure that this requirement is being 
complied with on an on-going basis. Furthermore, the senior 
management team and the key personnel responsible for scheme operation, 
IT systems, financial management, control and risk management functions, 
compliance and internal audit of the licensee should basically be based in 


Hong Kong. Nevertheless, depending on the nature, scale, complexity of 
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business, and the organization structure of the licensee, part of the senior 
management team may be based outside Hong Kong, provided that proper 


arrangement is made to timely respond to the HKMA. 
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4.1. 


4.2. 


4.3. 


4.4. 


4.4.1. 


General Risk Management and Internal Control 


Systems 


Introduction 


Paragraph 5 of Part 2, Schedule 3 of the PSSVFO stipulates that the 
licensee must have in place appropriate risk management policies and 
procedures for managing the risks arising from the operation of its SVF 
scheme that are commensurate with the scale and complexity of the 
scheme. This chapter sets out the high level principles on the 
requirements on a licensee’s general risk management and internal control 


systems. 


Risk management 


A licensee should have in place effective risk management framework that 
is commensurate with the nature, scale and complexity of their operations 
to help ensure proper identification, monitoring and management of 
various risks. The risk management framework should be approved by 
the Board. A licensee should demonstrate that it has dedicated staff 
resources with sufficient professional knowledge, experience, and 
independence to oversee the quality of its risk management and internal 


control processes. 


Internal controls 


A robust internal control system must be put in place to promote effective 
and efficient operation, safeguard assets, provide reliable financial and 
management information, enable prevention or early detection of 
irregularities, fraud and errors, and ensure compliance with relevant 


statutory and regulatory requirements and internal policies. 


Compliance and internal audit functions 


A licensee should maintain effective (i) compliance function, and (ii) 
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4.4.2. 


4.5. 


4.5.1. 


4.5.2. 


internal audit function to ensure compliance with all applicable legal and 
regulatory requirements as well as its own policies, procedures and 
controls. Among other factors, the quality of a licensee’s compliance 
and internal audit functions will be assessed based on its (i) clear 
governance framework with board level support to ensure effective 
policies and sufficient authorities to perform the functions; (ii) relevant 
professional knowledge and experience; (iii) independence from business 
units; (iv) direct and unfettered access to the board; (v) coverage, 
comprehensiveness and effectiveness of compliance and internal audit 
programs; and (vi) ability to take timely and pro-active rectifying actions 


upon identifying non-compliance or other control deficiencies. 


The compliance function should not be substituted by the internal audit 
function. In exceptional cases where a licensee’s scale of operations may 
not justify having a separate function, the licensee should propose to the 
satisfaction of the HKMA effective alternative arrangements (e.g. hire of 
external services for internal audit function) that do not compromise the 


effectiveness of controls. 
Reporting to regulators 


A licensee should have effective procedures to ensure submission of data 


and information requested by the HKMA in a timely and accurate manner. 


A licensee should have in place effective policies and procedures to 
ensure timely reporting to the HKMA on (i) incidents having a material 
adverse impact on its business, operation, assets, risks or reputation; and 
(ii) breach of any statutory and regulatory requirements by the licensee or 


its officers or employees. 
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3:2: 


5.2.1. 


5.2.2. 


5:2:3; 


5.3. 


5.3.1. 


Information and Accounting Systems 


Introduction 


Section 80 of the PSSVFO stipulates that a licensee must ensure that its 
SVF operation is conducted in a safe and efficient manner calculated to 
minimize the likelihood of any disruption to the functioning of the facility. 
This chapter sets out the high level principle requirements on a licensee’s 
information and accounting systems which are essential to the smooth 


operation of a licensee’s SVF scheme. 


Information and accounting systems 


A licensee should have in place robust information and accounting 
systems to (i) record all business activities in a timely and accurate 
manner; (ii) provide quality management information to enable effective 
and efficient management of business and operations; and (iii) maintain 


appropriate audit trails to demonstrate effectiveness of controls. 


A licensee should properly maintain books and accounts and prepare 
financial statements and returns in compliance with all applicable 
regulatory reporting requirements and accounting standards in Hong 


Kong. 


A licensee should put in place sufficient back up facilities and disaster 


recovery arrangements for their information and accounting systems. 
Record keeping 


A licensee should have in place adequate record keeping policies and 
systems for maintaining accurate and sufficient records of its books, 
accounts, management decisions and business activities, including 
transactions of users. Such records should be maintained for a sufficiently 
long period, taking into account relevant statutory and regulatory 


requirements. 
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5.4.1. 


5.5. 


5.5.1. 


Data protection 


A licensee should have in place adequate policies, measures and 
procedures to protect their information and accounting systems, databases, 
books and accounts, and other records and documents from unauthorized 


access, unauthorized retrieval, tampering and misuse. 


Information and accounting systems located outside Hong 
Kong 


A licensee with operations, information and accounting systems located 
outside Hong Kong should have in place effective arrangements to enable 
the regular and ad hoc review of the system, either on-site or off-site, by 
authorized parties including the HKMA. The arrangements should allow 
unrestricted access to the licensee’s premises and systems outside Hong 
Kong, and that necessary prescribed consent to the arrangements should 


be obtained from the local authorities, if any, in the relevant jurisdictions. 
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6.2. 


6.3. 


Management of Float and SVF Deposit 


Introduction 


Section 7 of Part 2 of Schedule 3 of the PSSVFO sets out the minimum 
criteria regarding protection and management of float and SVF deposit 
which licensees must fulfill. This chapter sets out the high level 
principles and requirements in respect of protection and management of 
the float and SVF deposit. 


General principle 


A licensee should have in place an effective and robust system to protect 
and manage the float and SVF deposit to ensure that all funds are 
deployed for prescribed usage only, that funds belonging to SVF users are 
protected against claims by other creditors of SVF issuers in all 
circumstances, and that funds are protected from operational and other 


relevant risks. 
Protection of float and SVF deposit 


A licensee should put in place an effective trust arrangement to ensure the 
legal right and priority claim of the float and SVF deposit by users in the 
event of insolvency of a licensee. If justifications are provided by a 
licensee, an effective bank guarantee and/or insurance coverage may be 
used as an alternative or supplementary arrangement. For the avoidance 
of doubt, money in transit arising from an SVF user choosing direct debit 
from his/her bank account or credit card account instead of his/her SVF 
user account are treated as float received from the SVF user and should 


accordingly be accorded the same level of protection. 


Where circumstances warrant a trigger to refund the float and SVF deposit 
to users, the trust arrangement should operate to the effect that proper 
legal positions and authorisations are in place to ensure a smooth and 


efficient refund process. 
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6.4.1. 


6.4.2. 


A licensee should ensure that there are sufficient funds for the refund of 
the float and SVF deposit to all SVF users at all times and there are 
sufficient additional funds to pay for the costs of distributing the float and 
SVF deposit to all SVF users in case of need. 


A licensee should ensure that all user accounts in the SVF scheme users 
ledger are maintained in an accurate and timely manner and that the 
aggregate balance of all user accounts in the ledger accurately reflects the 
total amount of the float and SVF deposit of the SVF scheme at all times. 


The assets, including cash and bank deposits, in which the float and SVF 
deposit of an SVF scheme are held should be segregated from the 
licensee’s own funds as well as funds received for the licensee’s other 


business activities. 


A licensee should put in place effective internal control measures and 
procedures, which constitute an integral part of the licensee’s overall 
robust internal control system, to protect the float and SVF deposit from 
all operational risks, including the risk of theft, fraud and 


misappropriation. 
Management of float and SVF deposit 


Float and SVF deposit of an SVF scheme should be managed mainly for 
the purpose of liquidity management to ensure that there will always be 
sufficient funds for redemption. A licensee should put in place effective 
liquidity management policies, guidelines and control measures 
commensurate with the mode of operation of the SVF scheme in respect 
of the assets in which the float and SVF deposit are held. 


A licensee should not adopt a business model that takes investment returns 
from float management as a significant source of income. A licensee 
proposes to hold a proportion of the float and SVF deposit in low risk 
financial assets other than cash or bank deposits should obtain the 
HKMA’s prior written consent by demonstrating to the HKMA that the 
float and SVF deposit will be adequately protected from all relevant risks, 


including investment risk, market risk, concentration risk and liquidity 
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6.4.3. 


6.5. 


6.5.1. 


6.6. 


6.6.1. 


risk, etc. The licensee seeking the HKMA’s prior consent should at least 
put in place adequate investment policies and guidelines and effective 
control measures to protect the float and SVF deposit from all relevant 


risks. 


Unless effective currency risk management policies, guidelines and 
control measures are put in place, mismatch between the currency 
denomination of the float or SVF deposit and that of the assets in which 
the float and SVF deposit are held is generally not allowed except for the 
mismatch between HK dollar and US dollar positions. 


Additional regulatory requirements 


Additional requirements in respect of the protection and management of 
float and SVF deposit may be imposed if the circumstances of the licensee 
concerned so require, e.g. when there are inherent insufficiencies in the 


control environment of the licensee concerned. 


Reporting to the HKMA 


In respect of the protection and management of float and SVF deposit, any 
material non-compliance with any regulatory requirements or internal 
policies, procedures and controls as well as any material unresolved 
discrepancies identified in any reconciliation should be reported to the 


HKMA immediately through the established communication channels. 
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72.13 


7.2.2. 


Specific Risk Management 


Introduction 


Paragraph 5 of Part 2 of Schedule 3 of the PSSVFO stipulates that the 
licensee must have in place appropriate risk management policies and 
procedures for managing the risks arising from the operation of its SVF 
scheme that are commensurate with the scale and complexity of the 
scheme. This chapter sets out the high level principles on the 
requirements in relation to specific risk management for the purpose of 


complying with the relevant statutory requirements. 


Technology risk management 


A licensee should establish an effective technology risk management 
framework to ensure (i) the adequacy of IT controls, (ii) the quality and 
security, including the reliability, robustness, stability and availability, of 
its computer systems, and (iii) the safety and efficiency of the operations 
of the SVF. The framework should be “fit for purpose”, i.e. 
commensurate with the risks associated with the nature, size, complexity 
and types of business and operations, the technologies adopted and the 
overall risk management systems of the licensee. A licensee should 
allocate its technology resources between business development and risk 
management appropriately to ensure that sufficient resources are devoted 
to the latter. 


Given that the risk of IT operational incidents (e.g. service interruptions) 
cannot be completely eliminated, a licensee should establish an incident 
management framework with sufficient management oversight to ensure 
effective incident response and management capability to deal with 
significant incidents properly. This includes (i) timely reporting to the 
HKMA of any confirmed IT-related fraud cases or major security breaches, 
including cyber attacks, cases of prolonged disruption of service, and 
systemic incidents where users suffer from monetary loss or frustrating 
user experience (e.g. data leakage) and (ii) a communication strategy to 


address the concerns of any stakeholders may have arising from the 
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7.3. 


7.3.1. 


7.3.2. 


7.3.3. 


7.3.4. 


7.3.5. 


incidents and restore the reputational damage that the incidents may 


cause. 


A licensee should have in place adequate measures to maintain 
appropriate segregation of databases for different purposes to prevent 
unauthorized or unintended access or retrieval and that robust access 
controls are enforced to ensure the confidentiality and integrity of the 
databases. In respect of any personal data of users, including merchants, 
a licensee should at all times comply with the PDPO as well as any 
relevant codes of practice, guidelines or best practice issued by the Office 
of the PCPD from time to time. 


Payment security management 


A licensee should put in place a robust payment security management 
framework that is commensurate with the scale and nature of payment 
security risks associated with its SVF schemes to effectively monitor, 
identify, evaluate, respond and mitigate the payment security risks arising 


from the operation of the SVF schemes. 


A licensee should have adequate policies and procedures on the ownership, 
classification, storage, transmission, processing and retention of 
information collected from users through registration of SVF service and 
execution of payment transactions to ensure confidentiality and integrity 


of the information. 


A licensee should implement adequate security measures to protect each 
payment channel (including cards and user devices) provided to users for 


using its SVF against all material vulnerabilities and attacks. 


A licensee should implement adequate payment security controls to ensure 
the authenticity and traceability of payment transactions and detect 


fraudulent transactions. 


A licensee should authenticate the identity of SVF users before they can 
administer their SVF accounts and initiate high-risk transactions. Timely 


notification should be sent to users after these activities. 
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EST: 


7.3.8. 


7.4. 


7.4.1. 


7.4.2. 


TS: 


Tsd 


A licensee should provide advice and assistance to users on the secure use 


of SVF through an effective communication channel. 


A licensee should guard against current and upcoming cyber security risks 
associated with its SVF by monitoring the trends in cyber threats, 
implementing adequate protective measures and performing periodic 


security testing. 


A licensee should provide efficient and reliable SVF payment services 


which are commensurate with the mode of operation of its SVF. 


Business continuity management 


A licensee should have in place adequate business continuity management 
(BCM) programs to ensure continuation, timely recovery, or in extreme 
situations orderly scale-down of critical operations in the event of major 


disruptions caused by different contingent scenarios. 


The board and senior management of a licensee have the ultimate 
responsibility for BCM and the effectiveness of their business continuity 
plans. It should ensure that BCM programs are duly implemented and 
taken seriously by all levels of staff and that sufficient resources are 


devoted to implementing the plan. 


Reputation risk management 


A licensee should establish and implement an effective process for 
managing reputation risk that is appropriate for the size and complexity of 
its operations. A licensee should integrate into its business processes 
proper due diligence work to (i) critically assess the potential reputational 
implications of its plans and activities for itself and for the industry; (ii) 
take proactive actions to avoid or contain the identified risks; and (iii) 
respond swiftly to mitigate the potential impact should such risks 
materialise. A licensee should also devote appropriate resources to 
conduct surveillance work with a view to identifying any issues with 
reputational implications for its operations. The objective is to protect 


the licensee from potential threats to its reputation and, should there be a 
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7.6. 


7.6.1. 


reputation event, minimize the effects of such an event. 


In implementing reputation risk management process, licensees should 
ensure that the relevant process is capable of detecting and responding 
swiftly to new and emerging threats to reputation, monitoring the 
changing status of risks, providing early warning of potential problems to 
enable remedial actions to be taken, and providing assurance that the risks 
affecting reputation are under control. A licensee should notify the 
HKMA promptly of any incident which, in its view, may have significant 


implications for its reputation. 
Liquidity risk management 


A licensee should establish and implement an effective process for 
managing liquidity risk that is appropriate for the size and complexity of 
its operations. The objective is to ensure that the licensee will have 
sufficient liquidity to meet different financial obligations arising from its 
day-to-day operations as well as redemption requests under all plausible 


circumstances. 
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Business Practices and Conduct 


Introduction 


Section 10(2)(b) of Part 2 of Schedule 3 of the PSSVFO stipulates that the 
SVF schemes must be operated prudently and with competence in a 
manner that will not adversely affect the interests of the user or potential 
user of the SVF. This chapter sets out the high level principles and 
requirements applicable to a licensee’s business practices and conduct for 


the purpose of complying with the relevant statutory requirements. 
Standard of conduct and business practices 


A licensee should ensure that its business is operated in a responsible, 
honest and professional manner. A licensee should treat all users, 
including merchants, equitably, honestly and fairly at all stages of their 
relationship with the licensee. A licensee should also act in a manner that 
will not adversely affect the interests of the user or potential user or the 


stability of any payment system in Hong Kong. 


A licensee should be responsible for the acts or omissions of its employees, 
service providers and agents in respect of the conduct of its business. 
Employees and agents of a licensee should be properly trained and 


qualified. 


A licensee should ensure that it adopts, and if needed develops, good 


business practices that can demonstrate its standard of conduct. 


A licensee is not allowed to provide interest payment or interest-like 


incentive scheme based on the volume of float. 
Schemes and operating rules 
The operating rules of an SVF scheme should be fair to all parties 


concerned. A licensee should operate its SVF scheme in strict 


accordance with the relevant operating rules. 
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The operating rules of an SVF scheme should provide that a value of an 
amount no less than the amount of funds received by a licensee or its 
agent from a user will be credited to the account of the user and made 
available for use by the user in a timely manner according to the operating 


rules. 


A reasonable limit, supported by business justifications and control 
measures, should be set for the maximum amount that can be stored in 
each type of user accounts under a scheme. Different storage limits can 
be set for different types of user accounts according to their respective 
features. All limits should be set out in the operating rules. The 
HKMA may request a licensee to change the limits if the business 
justifications and control measures put up by the licensee is considered 


unsatisfactory. 


A licensee should set out and explain clearly the key features, risks, terms 
and conditions, and applicable fees, charges and commissions of its 
schemes, facilities, services and products. Such details should be 
effectively communicated and made available to the relevant users, 
including merchants. Additional disclosures, including appropriate 
warnings, should be developed to provide information commensurate with 
the nature, complexity and risks of the schemes, facilities, services and 
products. In particular, the related contract with a user under a scheme 
should state clearly and prominently the amount of the fee and charge 
payable and the circumstances in which the fee and charge becomes 


payable. 


A licensee should be solely responsible for the robustness of its SVF 
scheme and as such it should bear the full loss of the value stored in a user 


account where there is no fault on the part of the user. 


Except for anonymous cards, a licensee should have in place convenient 
and timely means to enable users to (i) report and/or disable lost cards; 
and (ii) report that the SVF has been compromised. Such means should 
be effectively communicated to users. A licensee on being advised of a 
loss, theft or possible misuse of a card/SVF should take prompt action to 
prevent further use of the card/SVF. A licensee should give clear and 
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prominent notice to users if they may have to bear a loss when a card has 
been used for an unauthorized transaction before the user has reported 


and/or disabled lost cards/compromised SVF. 


A licensee should, where technically feasible, provide timely transaction 
notifications to users and, to a reasonable extent, make available to users 
transaction records with sufficient details and the outstanding stored value 
of user accounts. A licensee should provide a service to users who need 
to obtain records of their transactions with sufficient details for a 


reasonable time period. 


A licensee should have in place fair and effective rules and mechanisms to 
deal with alleged unauthorized transactions claimed by users and 


effectively communicated such rules and mechanisms to users. 
Complaints handling 


A licensee should have in place an effective complaint management 
system to ensure that complaints from SVF users are fully and promptly 


handled and resolved in a satisfactory manner. 


The complaint management system of a licensee should be comprehensive, 
transparent, accessible to SVF users and easy to invoke, fair and impartial, 
consistent in its approach to the provision of redress, flexible and efficient, 
and able to maintain appropriate confidentiality, keep sufficient records, 
resolve complaints, identify and remedy the problems revealed by the 
complaints and provide appropriate feedback to the HKMA. 


Business exit plan 


With a view to minimizing the potential impact that a failure, disruption, 
or exit of a licensee would have on SVF users and the payment systems in 
Hong Kong, a licensee is required to maintain viable plans for an orderly 
exit of its business and operations should other options be proven not 


possible. 


Among other things, a business exit plan should (i) identify a range of 
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remote but plausible scenarios which may render it necessary for a 
licensee to consider an exit; (ii) develop risk indicators to gauge the 
plausibility of the identified scenarios; (iii) set out detailed, concrete, and 
feasible action steps to be taken upon triggering the exit plan; (iv) assess 
the time and cost required to implement the exit plan in an orderly manner; 
and (v) set out clear procedures to ensure that sufficient time and financial 


resources are available to implement the exit plan. 


A licensee’s business exit plans should form part of the operating rules of 
the SVF scheme and the arrangement should where appropriate be 
reflected in the terms and conditions of the SVF schemes and made 
known to SVF users. A licensee should ensure that its business exit 
plans have made sufficient provisions for financial and administrative 
resources to meet the float redemption and other relevant administrative 


processes. 


A licensee is required to discuss with the HKMA in devising and 


introducing changes to its business wind-down plans. 
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